<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>iRedMail Easy: Setup SSL support for Windows Active Directory</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>

    <div id="navigation">
    <a href="https://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="iredmail-easy-setup-ssl-support-for-windows-active-directory">iRedMail Easy: Setup SSL support for Windows Active Directory</h1>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Check out the lightweight on-premises email archiving software developed by iRedMail team: <a href="https://spiderd.io/">Spider Email Archiver</a>.</p>
</div>
<div class="toc">
<ul>
<li><a href="#iredmail-easy-setup-ssl-support-for-windows-active-directory">iRedMail Easy: Setup SSL support for Windows Active Directory</a><ul>
<li><a href="#summary">Summary</a></li>
<li><a href="#enable-active-directory-certificate-services">Enable Active Directory Certificate Services</a></li>
<li><a href="#create-a-self-signed-certificate">Create a self-signed certificate</a><ul>
<li><a href="#test-ldaps">Test LDAPS</a></li>
</ul>
</li>
</ul>
</li>
</ul>
</div>
<h2 id="summary">Summary</h2>
<p>Windows Active Directory requires secure connection for updating user password
from another host via LDAP protocol. In this tutorial, we will show you how to
setup SSL support for Active Directory with a self-signed ssl cert.</p>
<p>This tutorial has been tested on:</p>
<ul>
<li>Windows Server 2012</li>
</ul>
<p>If it works for you on different Windows Server version, please let us know.</p>
<h2 id="enable-active-directory-certificate-services">Enable Active Directory Certificate Services</h2>
<ul>
<li>Click <code>Start</code> on bottom-left corner of your Windows OS, click <code>Server Manager</code>.</li>
</ul>
<p><img alt="" src="./images/ad/start-server-manager.png" /></p>
<ul>
<li>Click <code>Manage</code> on top-right corner, click <code>Add Roles and Features</code>.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/server-manager-add-roles-and-features.png" width="1024px" /></p>
<ul>
<li>Click <code>Next</code>:</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_1.png" /></p>
<ul>
<li>Choose <code>Role-based or feature-based installation</code>. Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_2.png" /></p>
<ul>
<li>Select your server from the server pool. Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_3.png" /></p>
<ul>
<li>Choose <code>Active Directory Certificate Services</code> from the list, and click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_4-1.png" /></p>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_4-2.png" /></p>
<ul>
<li>Click Next directly without choosing any item from list on the <code>Features</code> page.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_5.png" /></p>
<ul>
<li>Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_6.png" /></p>
<ul>
<li>Toggle on <code>Certificate Authority</code> and click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_7.png" /></p>
<ul>
<li>Click <code>Install</code> to install selected roles/features.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_8.png" /></p>
<ul>
<li>It may take some time to finish, after finished, close the wizard window.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/setup_ad_ssl_9.png" /></p>
<h2 id="create-a-self-signed-certificate">Create a self-signed certificate</h2>
<p>Now let’s create a certificate using AD CS Configuration Wizard, To open the wizard:</p>
<ul>
<li>Click <code>Start</code> on bottom-left corner of your Windows OS, click <code>Server Manager</code>.</li>
</ul>
<p><img alt="" src="./images/ad/start-server-manager.png" /></p>
<ul>
<li>Click <code>Alert Flag</code> on top-right corner, click <code>Configure Active Directory Certificate Services on the destincation server</code>.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/server_manager_configuration_ad_certificate.png" /></p>
<ul>
<li>Click <code>Next</code>:</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_1.png" /></p>
<ul>
<li>Choose <code>Certification Authority</code>. Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_2.png" /></p>
<ul>
<li>Choose <code>Enterprise CA</code>. Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_3.png" /></p>
<ul>
<li>Choose <code>Root CA</code> as the type of CA, click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_4.png" /></p>
<ul>
<li>Since we do not possess a private key – let’s create a new one. choose <code>Create a new private key</code>, Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_5.png" /></p>
<ul>
<li>Choose <code>SHA1</code> as the Hash algorithm, change key lenth to <code>4096</code>, Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_6.png" /></p>
<ul>
<li>Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_7.png" /></p>
<ul>
<li>Specifying validity period of the certificate. Choosing <code>99 years</code>. Click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_8.png" /></p>
<ul>
<li>Choose default database locations, click Next.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_9.png" /></p>
<ul>
<li>Click Configure to confirm.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_10.png" /></p>
<ul>
<li>Once the configuration is successful/complete. Click Close.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/config_ad_ssl_11.png" /></p>
<ul>
<li>Restart system.</li>
</ul>
<h3 id="test-ldaps">Test LDAPS</h3>
<p>After restart system, we can connect to the LDAP server over SSL.
Now let us try to connect to LDAP Server (with and without SSL) using the ldp.exe tool.</p>
<p>Connection strings for:</p>
<ul>
<li><code>LDAP:\\ad.iredmail.org:389</code></li>
<li>
<p><code>LDAPS:\\ad.iredmail.org:636</code></p>
</li>
<li>
<p>Click <code>Start</code> on bottom-left corner of your Windows OS,</p>
</li>
<li>Click <code>Search</code> on top-right corner, enter <code>ldp.exe</code> in the input box.</li>
<li>Connection and fill in the following parameters and click OK to connect:</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/test_ldap_1.png" /></p>
<ul>
<li>If Connection is successful, you will see the following message in the ldp.exe tool:</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/test_ldap_2.png" /></p>
<ul>
<li>To Connect to LDAPS (LDAP over SSL), use port 636 and mark SSL. Click OK to connect.</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/test_ldaps_1.png" /></p>
<ul>
<li>If connection is successful, you will see the following message in the ldp.exe tool:</li>
</ul>
<p><img alt="" src="./images/setup.ad.ssl/test_ldaps_2.png" /></p><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>